Embedded malware hidden in image files

Trent Nouveau, 12th August 2010

The malware - which is currently circulating on 4chan message boards - apparently represents the next stage in the evolution of a threat known as 4chan.js which first appeared in 2008.

Unsurprisingly, the latest iteration of 4chan.js relies on a user's trust of image file formats and unfamiliarity with the .HTA format.

"The [infected] .PNG file stores the data in a compressed format [which] is quite innocuous. Did you notice the fuzz at the bottom of the images shown above? This is actually compressed data that is stored in the image," explained MMPC researcher Michael Johnson.

"Users may follow the instructions in the .PNG and save the file as a bitmap (.BMP) with the .HTA extension. It is [now clear that the] decompressed file contains an image, some JavaScript and one or more executable files."

According to Johnson, the above-mentioned method allows the malware to repackage itself, beat the CAPTCHA mechanism employed by 4Chan and send itself to the 4Chan bulletin board.

"We detect the dropped JavaScript as Trojan:JS/Chafpin.gen!A and now [identify] three versions of this trojan as the malware authors [evolve] their methods.

"In the third method we saw, the bitmap was created with random variables each time it was run....4Chan [is] taking steps to prevent user infection by closing affected threads."

Johnson also noted that the malware authors assume the user will follow instructions purely out of interest, or to see what will happen.

"[Of course] most users are likely to trust an image format and might not realize that the same image file can contain an embedded malicious script.

"[So], here at the MMPC we suggest that you do not follow the instructions of random pictures that you see, especially if the instructions involve altering the file in any way and then running it. In fact, we would suggest just not running random .HTA files at all."